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AUDITOR  GENERAL’S 
MESSAGE 

Transparency  and  accountability. 
These  two  words  capture  the  very 
essence  of  good  government.  State 
government  needs  to  be  transparent: 
nothing  should  be  hidden  and  every- 
thing should  appear  as  it  is.  State 
government  also  needs  to  be  account- 
able: it  exists  to  serve  the  people  of 
Illinois,  and,  as  such,  has  an  obligation 
to  provide  complete  and  timely  finan- 
cial and  programmatic  information  so 
that  citizens  can  make  informed  deci- 
sions about  their  State  government. 

My  Office  plays  an  integral  role  in 
helping  to  ensure  that  State  govern- 
ment is  transparent  and  accountable  to 
the  people.  The  Illinois  Constitution 
established  my  Office  to  audit  and  pub- 
licly report  on  the  State’s  finances,  as 
well  as  the  effectiveness  and  efficiency 
of  agency  operations. 

Increasingly,  my  auditors  have  been 
experiencing  delays  in  receiving 
requested  information,  failure  to  report 
suspected  fraud,  and  limited  access 
to  agency  personnel.  These  circum- 
stances threaten  our  ability  to  effec- 
tively carry  out  our  responsibilities 
and  are  unacceptable.  The  Advisory 
contains  excerpts  from  a speech  I gave 
earlier  this  year  where  I addressed 
trends  in  State  government  that  I find 
both  troubling  and  unacceptable. 

I encourage  you  to  carefully  read  my 
comments  from  my  May  15th  speech. 
These  comments  clearly  d<fscribe  my 
approach  to  forthcomipg^udits. 


WILLIAM  G.  HOLLAND 
September  2008 


The  following  are  excerpts  from  a speech 
the  Auditor  General  made  on  May  15, 
2008  to  the  Springfield  Chapter  of  the 
Institute  of  Internal  Auditors. 


Let  me  begin  by  congratulating  all  of  you 
on  the  3()th  anniversary  of  the  Springfield 
Chapter.  The  Chapter  has  been  a leader  in 
promoting  internal  auditing  not  only  in 
State  government,  but  also  in  other 
governmental  and  private  organizations. 

I have  had  the  privilege  of  speaking 
to  this  Chapter  on  several  occasions, 
including  in  1998  and  2004.  Tonight  I am 
here  to  rellect  on  what  I said  back  in  1998 
and  2004.  I will  also  discuss  the  current 
audit  process.  I’ll  outline  for  you  how  I 
intend  the  audit  process  to  proceed  in  the 
future. 

In  1998,  my  speech  focused  on  techno- 
logical threats  facing  State  government 
operations,  specifically  the  Y2K  issue  and 
hackers  accessing  our  vital  information 
systems.  These  threats  had  the  potential  to 
seriously  compromise  State  government 
operations,  and  as  such,  were  clearly 
unacceptable.  Recognizing  and  responding 
to  these  threats,  internal  auditors  played 
a vital  role  in  assessing  the  risks  they 
posed  and  ensuring  that  the  State  took  the 
necessary  steps  to  significantly  alleviate 
these  threats. 

In  2004,  I spoke  about  changes  in 
auditing  standards,  as  well  as  delays 
encountered  by  our  external  audit  process 
because  agencies  were  late  in  preparing 
their  financial  statements.  Furthermore, 
when  the  financial  information  was  submit- 
ted, in  many  cases  it  was  inaccurate  and 
unsupported.  This  was  unacceptable.  We 
still  encounter  problems  in  this  area, 
although  some  agencies  have  made  some 
improvements.  However,  this  continues  to 
be  problematic  and  the  number  of  Yellow 


Book  findings  pertaining  to  significant 
deficiencies  in  financial  reporting  are 
numerous. 

Now  we  turn  to  today.  Once  again,  we  are 
facing  serious  challenges.  The  success  of 
our  government  relies  on  two  fundamental 
principles:  accountability  and  transparency. 

Unfortunately,  much  of  what  1 see  occur- 
ring, when  viewed  from  an  accountability 
and  transparency  perspective,  is  unaccept- 
able. From  my  view,  your  impact  and 
iiinuence  have  been  eroded.  Again,  from 
my  view,  this  is  truly  unfortunate. 

For  instance,  over  the  past  several  years, 
internal  auditors  have  been  asked  to 
provide  non-audit  support.  Evidence  of 
this  diversion  of  resources  is  found  in  my 
Office’s  latest  compliance  examination  at 
CMS.  The  report  contained  a finding  which 
concluded  that  the  Illinois  Office  of 
Internal  Audit  did  not  complete  audits  of  all 
major  systems  of  internal  accounting  and 
administrative  control  as  required  by  the 
Fiscal  Control  and  Internal  Auditing  Act. 
For  the  two-year  audit  period  ending  June 
30,  2006,  the  lOlA  planned  to  conduct  196 
audits  but  only  completed  46  audits  (23%) 
with  an  additional  24  audits  (12%)  in 
progress. 

Another  disturbing  trend  in  recent  years 
that  1 believe  is  directly  related  to  the 
removal  of  internal  auditors  from  the 
agencies  is  the  increase  in  the  number 
of  findings  in  my  Office’s  financial  and 
compliance  audits.  For  audits  with  the 
period  ending  June  30,  2001,  there  were  a 
total  of  267  findings.  By  2006,  the  number 
of  findings  more  than  doubled,  to  608.  I 
appreciate  that  there  are  many  factors  that 
drive  the  number  of  findings  in  my  audits. 
However,  I believe  a primary  reason,  and 
very  likely  the  main  reason  for  the  increase 
in  audit  findings,  has  been  the  removal  of 
internal  auditors  from  the  agencies. 

See  CHAUJiSOES  on  Page  2 
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One  of  the  primary  responsibilities  of 
internal  auditors  prior  to  the  consolidation 
was  to  evaluate  systems  of  controls  and 
agency  operations,  identify  problems,  and 
take  corrective  action.  With  the  removal  of 
internal  auditors  from  the  agencies,  this 
critical  function  has  been  diminished. 

Finally,  Fd  like  to  briefly  discuss  some 
trends  or  agency  behaviors  that  have  been 
occurring  in  recent  years  that  1 will  no 
longer  accept. 

• Routine  requests  for  information  are 
being  submitted  to  “legal  staff'  for  prior 
approval  before  it  is  provided  to  my 
auditors.  I really  don’t  care  as  long  as  the 
review  does  not  result  in  sanitizing  the 
information  requested  or  result  in  delays. 
Both  are  unacceptable. 

• There  has  been  a trend  in  recent  years 
for  agencies  to  request  additional  time  to 
submit  responses  to  recommendations 
contained  in  my  audit  reports.  While  in 
rare  instances  an  extension  past  the  21 
days  allowed  by  regulation  may  be 
understandable,  I will  no  longer  be 
routinely  granting  extensions  to  agencies 
for  their  formal  responses.  These  delays 
are  unacceptable. 

• The  early  retirement  initiative  took  place 
5 years  ago.  Back  then  the  loss  of  knowl- 
edgeable, qualified  staff  was  a valid 
cause  for  problems  experienced  in 
agency’s  accounting  and  financial  opera- 
tions. Today,  it  is  still  being  cited  as 
a reason  for  some  of  the  problems 
agencies  are  experiencing  in  providing 
timely  information  to  auditors.  After  the 


passage  of  years,  agencies  should  have 
been  able  to  reassign  those  responsibili- 
ties to  other  competent  staff.  Failure 
to  have  reassigned  such  responsibilities 
is  unacceptable. 

• Today  we  are,  at  times,  experiencing 
inordinate  delays  in  agency  manage- 
ment’s preparation  of  financial  state- 
ments and  all  related  note  disclosures. 
These  delays  are  unacceptable. 

• We  have  gone  out  of  our  way  to  inform 
agencies  about  their  responsibility  to 
make  timely  disclosure  of  suspected 
fraud.  We  still  experience  problems  in 
this  area.  This  is  unacceptable.  (As  an 
aside,  when  we  discover  or  learn  about  a 
fraud  that  was  NOT  disclosed  to  us  in  an 
appropriate  manner,  our  professional 
skepticism  is  heightened.) 

• We  see  a trend  where  agency  manage- 
ment is  not  as  attentive  to  the  content  of 
the  management  representation  letters  as 
they  should  be.  It  is  true  these  letters 
contain  standard  boilerplate  language. 
But  the  words  have  real  meaning  - and 
we  take  them  very  seriously.  Glossing 
over  the  content  is  unacceptable. 

• More  than  ever  before,  we  now  have 
agencies  trying  to  restrict  our  unfettered 
access  to  agency  personnel.  Our  goal  is 
the  same  as  yours:  have  the  auditors  in 
the  office  for  as  little  time  as  possible. 
When  we  are  denied  access,  once  again 
our  professional  skepticism  is  raised. 
This  causes  delays.  This  denial  of  access 
or  restricted  access  to  agency  employees 
is  unacceptable. 

• We  are  now  faced  with  a new  challenge 
to  our  audit  access.  Recently  we  were 
told  by  an  agency  that  my  auditors  would 


have  to  work  at  the  location  of  the  shared 
services  activities.  Let  me  be  clear;  we 
will  focus  on  those  activities  of  the 
shared  services  initiative  that  are 
separate  and  apart  from  the  responsibili- 
ties of  the  individual  agency,  but  my 
auditors  will  NOT  routinely  or  always  be 
working  from  a satellite  location  to  audit 
the  principal  agency.  To  do  so  would  be 
unacceptable. 

So  what  is  my  recourse  to  all  these 
unacceptable  activities?  Well,  first  of  all  it 
begins  here.  Over  the  course  of  my  15 
years  as  Auditor  General  I have  sought  to 
be  fair.  One  of  the  keys  to  fairness  is  to 
make  sure  there  are  no  surprises.  1 want 
each  of  you  to  understand  my  position. 

As  I look  around  the  room,  I am  confi- 
dent that  the  challenges  we  face,  if  left  to 
tho.se  of  us  here,  would  be  resolved  in  a 
very  professional  manner.  In  this  room, 
there  is  nothing  but  professionals.  We 
know  how  to  disagree  without  being  dis- 
agreeable. I know  the  value  of  the  internal 
auditor  who  is  allowed  to  be  an  internal 
auditor.  You  know  the  value  of  the  external 
auditor  who  fairly  reports.  Together  we  are 
the  cornerstone  of  the  accountability  and 
transparency  1 di.scussed  in  the  beginning. 

It  is  my  sincere  hope  that  when  I address 
this  distinguished  group  in  another  5 or  10 
years  from  now  we  can  look  back,  as  we 
now  look  back  at  my  1998  and  2004 
speeches,  and  conclude  that  while  the 
problems  were  real  and  the  threats  to 
undermine  accountable  State  government 
were  real,  action  was  taken  to  strengthen 
the  internal  audit  function  within  the  State 
of  Illinois,  as  well  as  increase  the  level  of 
cooperation  in  dealing  with  my  Office’s 
external  audit  process.  ^ 


MANAGEMENT’S  RESPONSIBILITIES 


At  the  beginning  of  a financial  audit,  single  audit,  or  compli- 
ance attestation  engagement,  a Letter  of  Understanding/Hngage- 
ment  Letter  is  sent  to  agency  directors,  'fhe  Letter  contains  impor- 
tant information  which  explains  the  .scope  and  purposes  of  the 
upcoming  engagement,  as  well  as  specific  responsibilities 
management  is  expected  to  fulfill. 

Management  is  rcspotisible  for  establishing  and  maintaining 
effective  internal  control  and  for  compliance  with  laws,  regula- 
tions, contracts,  agreements  and  other  matters,  fhe  objectives  of 
internal  control  are  to  provide  management  with  rea.sonable,  but 
not  absolute,  assurance  that  assets  are  safeguarded  against  loss 
from  unauthori/cd  use  or  disposition,  and  that  transactions  are 
executed  in  accordance  with  management’s  authorizations  and 
recordcil  projicrly  to  permit  the  jircparation  ol  financial 
slatemcnis  in  accordance  with  generally  accepted  accounting 
principles  and  .SAM.S  rcc|uiremcnls. 
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Management  is  responsible  for  making  all  financial  records  and 
related  information  available  to  the  auditors.  Management  is 
responsible  for  providing  auditors  with  such  information  required 
for  the  audit  and  is  responsible  for  the  accuracy  and  completeness 
of  that  information.  Auditors  may  advi.se  management  about  appro- 
priate accounting  principles  and  their  application  and  may  provide 
advice  in  the  preparation  of  the  financial  statements,  but  the  respon- 
sibility for  the  financial  statements  remains  with  management. 

Management  is  responsible  for  the  design  and  implementation 
of  programs  aiul  controls  to  prevent  and  detect  fraud,  and  lor 
informing  aiulitors  about  all  kiuiwn  or  suspected  fraud,  or  illegal 
acts,  or  noncompliance  with  contracts  or  grant  agreements  affect- 
ing the  Department  involving  ( I ) management,  (2)  employees 
who  have  significant  roles  in  internal  control,  and  (.'^)  others  where 
the  fraud,  illegal  acts,  or  noncompliance  could  Itave  a material 
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HIGH-RISK  AREAS 


In  last  year’s  edition  of  the  Audit  Advisory,  we  initiated  an 
annual  series  that  examined  high-risk  areas  in  State  government 
operations.  These  are  areas  that  expose  the  State  to  an  unaccept- 
able level  of  risk.  The  five  high-risk  areas  on  our  2007  list  were; 
1)  Contracting  Processes;  2)  Subrecipient  Monitoring; 
3)  Financial  Reporting;  4)  Safeguarding  Confidential 
Information;  and  3)  Noncompliance  with  State  Laws. 

Audits  completed  in  2008  have  continued  to  have  findings  in 
these  areas.  In  addition,  a sixth  high-risk  area  - Shared  Services 
management  - has  been  added  in  2008.  The  following  sections 
summarize  the  five  high-risk  areas  repeated  from  2007,  and  exam- 
ine in  greater  detail  the  Shared  Services  management  risk  area 
added  in  2008. 

1.  CONTRACTING  PROCESSES 

The  contracting  process  poses  significant  risks  for  State  agen- 
cies and  is  susceptible  to  fraud  and  abuse.  There  are  a myriad  of 
ways  the  contracting  process  can  be  manipulated  or  abused. 
Consequently,  an  agency’s  system  of  internal  controls  related  to 
contracting  needs  to  be  strong,  monitored,  and  enforced. 

Contracting  deficiencies  have  been  routine  findings  in  OAG 
audits.  Examples  of  contracting  deficiencies  included;  untimely 
execution  of  contracts;  lack  of  documentation  for  the  evaluation, 
selection,  and  contracting  processes;  use  of  evaluation  criteria  that 
were  not  stated  in  the  RFP;  failure  to  competitively  procure 
contracts;  allowing  vendors  to  begin  work  without  a formal 
written  agreement  in  place;  failure  to  publish  the  required  notice 
of  awards  in  the  Procurement  Bulletin;  and  inadequate  agency 
review  of  billings. 

2.  SUBRECIPIENT  MONITORING 

State  agencies’  failure  to  adequately  monitor  subrecipients  has 
been  a central  finding  in  the  State’s  Single  Audit  for  years.  The 
FY  2006  Single  Audit  included  21  findings  and  the  FY  2007 
Single  Audit  had  26  findings  related  to  agencies’  deficiencies  in 
monitoring  subrecipients.  Agencies  covered  by  the  Single  Audit 
received  $16.7  billion  in  federal  funding  in  FY  2007,  of  which 
$3.5  billion  (or  21%)  was  passed  through  to  grantees. 

It  is  not  sufficient  for  agencies  to  simply  pass  funding  on  to 
third  parties.  Rather,  a system  must  be  established  to  monitor  how 
those  funds  are  being  spent  and  ensure  these  monies  are  being 
spent  for  the  specified  purpose.  Subrecipient  monitoring  includes 
many  aspects,  such  as  reviewing  and  receiving  grant  reports,  as 
well  as  some  level  of  on-site  reviews  or  inspections. 

3.  FINANCIAL  REPORTING 

Financial  reporting  errors  have  several  important  effects, 
including  increased  audit  testing,  delays  in  the  completion  of 
audits,  and  delays  in  the  preparation  of  the  Comptroller’s 


Comprehensive  Annual  Financial  Report  (CAFR).  Problems  with 
agencies’  financial  reporting  were  directly  responsible  for  the 
delay  in  the  issuance  of  the  $tate’s  most  recent  CAFR,  which  was 
issued  in  June  2008.  By  contrast,  in  2007  the  CAFR  was  issued  in 
February. 

Deficiencies  in  financial  reporting  included  late  preparation  of 
financial  statements  and  other  financial  reporting  forms  (GAAP 
forms)  and  improper  recording  or  misclassification  of  transac- 
tions, requiring  significant  revisions  to  financial  statements. 

4.  SAFEGUARDING  CONFIDENTIAL 
INFORMATION 

The  theft  or  loss  of  personal  information  is  an  increasing 
problem  in  the  $tate  of  Illinois.  Audits  have  identified  two  areas 
of  concern.  The  first  deals  with  inadequate  controls  over  the 
disposal  of  hard  copy  confidential  information.  The  second  area 
of  concern  is  a failure  to  ensure  adequate  security  over  computer 
systems  and  resources. 

A risk  management  approach  can  be  used  to  assist  in  a 
State  agency’s  responsibility  to  protect  confidential  and  personal 
information.  An  approach  may  include; 

• Review  of  all  IT  systems  to  identify  where  confidential  or 
personal  information  resides. 

• Assessment  of  the  need  to  obtain  and  retain  this  information. 
(For  example,  in  many  systems,  social  security  numbers  are  no 
longer  needed  as  a unique  identifier  and  can  be  eliminated). 

• Implementing  security  controls  to  protect  information  that  was 
deemed  necessary  to  meet  missions  and  mandates.  Security 
controls  include  limiting  access  to  only  those  that  require  access 
to  perform  job  duties  and/or  the  use  of  encryption  (translation 
of  data  into  an  unreadable  format). 

5.  NONCOMPLIANCE  WITH  STATE  LAWS 

The  primary  responsibility  of  State  agencies  is  to  implement 
and  administer  programs  and  functions  given  to  them  by  the 
General  Assembly.  Audits  routinely  find  that  agencies  are  not 
complying  with  these  mandates.  If  agencies  are  not  complying 
with  a law  because  they  believe  it  is  outdated  or  duplicative,  they 
should  seek  legislation  to  have  the  law  revised. 

6.  SHARJED  SERVICES  MANAGEMENT 

Executive  Order  2006-06,  effective  March  31,  2006,  formally 
created  Divisions  of  Shared  Services  at  the  Departments  of 
Revenue  and  Corrections.  The  purpose  of  the  Shared  Services 
Center  is  to  provide  common  administrative  functions,  such  as 
fiscal  and  human  resources  services  and  support  services  to 

See  HIGH-RISK  on  Page  4 
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Continued  from  page  3 

multiple  State  agencies.  The  Administrative  and  Regulatory 
Shared  Services  Center  at  Revenue  was  established  to  provide 
these  services  to  three  administrative  and  regulatory  agencies:  the 
Departments  of  Central  Management  Services.  Financial  and 
Professional  Regulation,  and  Revenue.  The  Public  Safety  Shared 
Services  Center  at  Corrections  covers  nine  State  agencies  with 
public  safety  functions,  including  State  Police,  Corrections,  and 
the  State  Fire  Marshal. 

The  Executive  Order  noted  that  combining  these  core  adminis- 
trative functions  would  improve  the  State’s  ability  to  effectively 
provide  services  to  State  agencies,  promote  cross-training, 
improve  career  development  for  State  employees,  improve  inter- 
activity of  State  operations,  and  eliminate  duplicate  functions 
within  State  agencies. 

On  March  31. 2008,  Executive  Order  2008-1  was  issued  which 
would  have  created  three  additional  Shared  Services  Centers. 
Flowever,  both  the  House  of  Representatives  and  the  Senate 
subsequently  passed  Resolutions  disapproving  Executive  Order 
2008-1.  Consequently,  the  creation  of  the  three  additional  Shared 
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Services  Centers  was  not  approved  by  the  General  As.sembly. 


While  there  may  be  benefits  to  the  Shared  Services  structure, 
there  are  also  risks.  These  risks  include  the  following: 


• Lack  of  planning  to  effectively  implement  and  coordinate  with 
user  agencies; 

• Eunds  spent  on  Shared  Services  Centers  which  did  not  receive 
the  approval  of  the  General  Assembly; 

• Eiscal  and  human  resources  needs  of  user  agencies  not  being 
adequately  met  by  the  Shared  Services  Centers;  and 

• User  agencies  being  billed  or  providing  funding  for  services 
they  did  not  receive  or  without  adequate  support  documenting 
the  basis  of  the  billings  (as  prior  OAG  audits  found  with  the 
efficiency  initiative  billings  agencies  received  from  the  Dept,  of 
Central  Management  Services). 

During  the  upcoming  audit  cycle  we  will  be  reviewing  the 

implementation  of  the  Shared  Services  structure.  ■ 


MANAGEMENT 

Continued  from  page  2 

effect  on  the  financial  statements  and 
compliance  assertions. 

Management  is  also  responsible  for 
informing  auditors  of  its  knowledge  of  any 
allegations  of  fraud  or  suspected  fraud, 
illegal  acts,  or  noncompliance  affecting  the 
agency  that  were  received  in  communica- 
tions from  employees,  former  employees, 
grantors,  regulators,  or  others.  Our  office 
is  aware  that  such  matters  may  be  the  sub- 
ject of  inquiry  by  the  FAecutive  Office  of 


Inspector  General,  State  Police,  Attorney 
General,  or  prosecutorial  agency  and,  as 
such,  management  may  have  been  advised 
to  keep  such  matters  confidential.  Please 
note  that  management  is  still  required  to 
respond  to  the  auditor’s  inquiries  about 
suspected  fraud,  illegal  acts,  or  noncompli- 
ance in  a forthright  and  truthful  manner.  If 
necessary,  management  may  coordinate  its 
respon.se  with  the  Executive  Office  of 
Inspector  General,  State  Police,  Attorney 
General,  or  prosecutorial  agency. 


Auditors  will  request  written  representa- 
tions from  your  attorneys  as  part  of  the 
engagement,  if  necessary.  Further,  at  the 
conclusion  of  the  audit,  auditors  will  also 
require  certain  written  representations 
from  management  about  the  financial 
statements  and  related  matters.  Each 
agency’s  full  cooperation  and  timeliness  is 
critical  to  the  audit  process.  As  discussed 
in  this  Advisory,  incomplete  or  inaccurate 
responses  and  delays  in  responding  will 
not  be  tolerated.  ■ 
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